Meraki

Community

Enable Intrusion detection and prevention

romualdt
Here to help
‎Apr 24 2019 11:44 AM
‎Apr 24 2019 11:44 AM

Enable Intrusion detection and prevention

We recently upgraded to the advanced security license and wondering if there is a way to enable/change the Intrusion Detection settings globally for all of or security devices?  Is this exposed via the dashboard API?

0 Kudos
5 Replies 5
GuilhermeMacedo
Getting noticed
‎Apr 24 2019 12:31 PM
‎Apr 24 2019 12:31 PM

You can enable intrusion detection by setting the Mode to Detection under Security & SD-WAN > Configure > Threat protection > Intrusion detection and prevention. When enabling intrusion detection, there are three distinct detection rulesets to choose from using the Ruleset selector:

  • Connectivity: Contains rules from the current year and the previous two years for vulnerabilities with a CVSS score of 10.
  • Balanced: Contains rules that are from the current year and the previous two years, are for vulnerabilities with a CVSS score of 9 or greater, and are in one of the following categories:
    • Malware-CNC: Rules for known malicious command and control activity for identified botnet traffic. This includes call home, downloading of dropped files, and exfiltration of data.
    • Blacklist: Rules for URIs, user agents, DNS hostnames, and IP addresses that have been determined to be indicators of malicious activity.
    • SQL Injection: Rules that are designed to detect SQL Injection attempts.
    • Exploit-kitRules that are designed to detect exploit kit activity.
  • Security: Contains rules that are from the current year and the previous three years, are for vulnerabilities with a CVSS score of 8 or greater, and are in one of the following categories:
    • Malware-CNC: Rules for known malicious command and control activity for identified botnet traffic. This includes call home, downloading of dropped files, and exfiltration of data.
    • Blacklist: Rules for URIs, user agents, DNS hostnames, and IP addresses that have been determined to be indicators of malicious activity.
    • SQL Injection: Rules that are designed to detect SQL Injection attempts.
    • Exploit-kit: Rules that are designed to detect exploit kit activity.
    • App-detect: Rules that look for and control the traffic of certain applications that generate network activity.

The Balanced ruleset will be selected by default.

 

You are able to see more in Configuring_Intrusion_Detection_and_Prevention.

In response to GuilhermeMacedo
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Apr 24 2019 1:50 PM
‎Apr 24 2019 1:50 PM

Great answer by @GuilhermeMacedo .  We use "Security" for 99% of our customers.

 

If you are using a template and have networks bound to it then you can update the template and that will update every site using it.

 

I'm not aware of any API to configure this automatically.

 

For "Content Filtering" we also filter the below four entries for every client, purely for security reasons.  Some clients have more categories, but we use this as our baseline.

  • Bot Nets
  • Illegal
  • Malware Sites
  • Proxy Avoidance

 

This gives you an extra layer of defence.  Content Filtering to stop them accessing bad things in the first place, and IPS to catch the other things.

In response to GuilhermeMacedo
VitorSalles
Just browsing
‎Nov 27 2019 12:42 PM
‎Nov 27 2019 12:42 PM

@GuilhermeMacedo

 

How can I get logs about Intrusion detection and Prevention? There`s a report at Meraki dashboard?

0 Kudos
In response to VitorSalles
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Nov 27 2019 12:51 PM
‎Nov 27 2019 12:51 PM

Navitagte to "Security & SD-WAN/Security Centre" and click on the "MX Events" tab.

 

1.PNG

0 Kudos
CLEBERPENTEADO
Here to help
‎Sep 25 2023 12:45 PM
‎Sep 25 2023 12:45 PM

Hi,

There is another 'granular' detailed way to get logs from MX ?

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.